From: Jacob Baines
Date: Fri, 22 Jun 2018 09:08:17 -0400
Subject: Re: PostUp/PreUp/PostDown/PreDown Dangerous?
To: Antonio Quartulli
Cc: WireGuard mailing list
In-Reply-To: <6645df4c-3f98-6df9-fc48-6748ad4d6c00@unstable.cc>

Hey all,

I'm not familiar with WireGuard so I can only speak in an OpenVPN context. If the following doesn't apply to WireGuard at all then feel free to ignore me.

My main problem with "--script-security" is that it's useless. It just causes OpenVPN to spit a line into a log file (and by that time it's too late anyways). That isn't a security mechanism.

There also seems to be an expectation that users should understand these config files. I'm not sure why that is. Excuse my speaking in generalities but a majority of users aren't going to understand how OpenVPN works, let alone how the configuration file affects the program. Many users (myself included) simply receive config files from our bosses or our IT guy and trust that they aren't malicious. Call me naive or foolish but I don't review every single file passed my way for malicious content.

Furthermore, I've heard a few times now "config files exec things". Off the top of my head, I can't think of any other applications that execute shell commands listed in their configuration file. I have no idea where that is coming from. It's not a smart practice from a security point of view.

I'm not an OpenVPN expert. I'm just some guy that spent a little time reviewing the source. So I accept that my opinions might be bad. But if I was a dev I'd deprecate the entire system of executing programs listed in the configuration file. I'd try to migrate code into OpenVPN itself or the plugin system. At the very least, prompting the user and asking them for permission to execute whatever command seems like an improvement to me.

-Jake

On Fri, Jun 22, 2018 at 6:53 AM, Antonio Quartulli wrote:
>
> On 22/06/18 18:46, Jordan Glover wrote:
> > On June 22, 2018 3:56 AM, Antonio Quartulli wrote:
> >>
> >> In case this might be useful: in OpenVPN there is an additional
> >> parameter called "--script-security" that requires to be set to a
> >> certain level before allowing configured scripts to be executed.
> >>
> >> Unfortunately there is no real protection against the clueless user, who
> >> can and will blindly enable that setting if asked by a $random VPN provider.
> >> However, I still believe (and hope) that forcing the user to enable a
> >> specific knob may raise the level of attention.
> >>
> >> Maybe something similar could be added as a command line parameter to
> >> wg/wg-quick so that it will execute the various
> >> PostUp/PreUp/PostDown/PreDown only if allowed to?
> >>
> >> Just as a side note: this is not a VPN specific problem, this is
> >> something users can end up with every time they execute some binary with
> >> a configuration they have not inspected. So, be careful out there ;-)
> >>
> >> Cheers,
> >>
> >
> > An attacker can pass the appropriate "--script-security" level with the very same config
> > containing malicious commands, so this isn't solving the problem of not looking at
> > the content of config files.
>
> That's why I suggested implementing it as a command line knob for
> wg/wg-quick.
>
> But I totally agree with you that against this kind of issues there is
> not really a lot the developer can do - each of us is free to shoot
> himself in the foot.
>
> Regards,
>
> --
> Antonio Quartulli
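The thread's design point, that an "allow scripts" knob is only worth anything if it lives outside the file the untrusted party hands you, as an added example that is not code from wg-quick or OpenVPN: a pre-flight review of a wg-quick style config that lists every PreUp/PostUp/PreDown/PostDown command for the user to approve, honours only a command-line flag, and reports but deliberately ignores an in-file knob. The `ScriptSecurity` key, the `review_config` helper and the sample config are hypothetical and constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Hook keys that wg-quick hands to a shell (the ones named in the thread).
HOOK_KEYS = ("PreUp", "PostUp", "PreDown", "PostDown")

# Constructed sample config; "ScriptSecurity" is a hypothetical in-file knob
# (modelled on OpenVPN's --script-security) that must NOT be honoured.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <placeholder>
Address = 10.0.0.2/32
ScriptSecurity = 2   # hypothetical in-file knob
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
"""

@dataclass
class HookReview:
    hooks: list = field(default_factory=list)          # (key, command) found
    ignored_knobs: list = field(default_factory=list)  # in-file knobs not honoured
    allowed: bool = False                              # may the config be applied?

def review_config(config_text, allow_scripts_cli=False):
    """Parse a wg-quick style config and decide whether it may be applied.
    Permission to run hooks comes only from the command-line flag."""
    review, section = HookReview(), None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if section == "interface" and key in HOOK_KEYS:
            review.hooks.append((key, value))        # surface it for the user to read
        elif key.lower() == "scriptsecurity":
            review.ignored_knobs.append(line)        # attacker-controlled, so ignored
    review.allowed = not review.hooks or allow_scripts_cli
    return review
```

A wrapper around `wg-quick up` would print `review.hooks` and stop when `review.allowed` is false, so the user sees exactly which commands the file wants to run before anything executes.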